Return to site

9 Takeouts from 2nd ASEAN Regulatory Summit

· cybercriminal,reputation risk,Governance

USQ Vice Chairman, Leesa Soulodre was seen leading the conversation on reputation risk management at the recent Thomson Reuters 2nd Annual ASEAN Regulatory Summit.

As Chief Reputation Risk Officer and Managing Partner, RL Expert Group, she had the opportunity to collaborate with Ernst & Young Lead Partner Cybersecurity Asia Pacific,Paul O'Rourke, Counter-espionage Expert and Managing Director of Jayde Consulting,Julian Claxton, and Thomson Reuters Senior Editor, Patrick Fok to lead a Cyber Breach simulation.

The event triggered robust debate among the audience of senior governance, risk and compliance practitioners, and leaders from across the region.

Key takeouts from Paul O'Rourke, Lead Partner, Cyber Security Asia Pacific at Ernst and Young:

  1. Where to invest? - As there is a high inevitably regarding cyber compromises, organisations need to be adequately prepared to respond in the event of a breach There needs to be a rebalancing of investment from prevention, to detection, containment, and response.
  2. Where to focus? - Critical to improving an organization's cyber resilience is a focus on culture, education, and awareness, with a top-down culture essential.
  3. What to change? - Organisations should consider implementing or adapting a cyber risk appetite, which will help define the level of cyber risk they are prepared to accept.

Key Takeouts from Expert Julian Claxton, Counter Espionage Jayde Consulting

  1. Don't be an enabler - organisations need to ensure that robust security policies and procedures are in place AND enforced. This should include regular risk and vulnerability assessments, with recommended treatment options implemented. It is both surprising and concerning to see how few organisations maintain a dynamic risk register or even undertake regular security reviews.
  2. Limit access to information - Whether electronic or paper-based, not everyone within an organisation necessarily needs to have access to everything. For example, a Human Resources Manager need not have access to financial documents or marketing plans, nor the offices where such information is stored. Too often, we see that employees are given full and free physical access to all areas of a tenancy, at all hours of the day; or unrestricted access to data servers. This is unnecessary and makes it difficult to contain information, or determine who has accessed what, in the aftermath of a breach. It is also important for organisations to appropriately vet staff with unprecedented access to data. This should include pre-employment, bankruptcy, and criminal history checks. Whilst not foolproof, this makes for an excellent baseline.
  3. Read the signs - Often there are telltale signs in the lead up to a crime. Organisations need to make use of existing 'intelligence'. People are creatures of habit and will ordinarily come and go at roughly the same time, will access certain information in a uniform manner, and will generally maintain a fixed routine from day to day. Changes to these routines or habits may indicate an emerging issue. These might include the type of information an employee is accessing on a server (particularly if it doesn't relate to their core function at work), unusual changes to their working hours or office access (such as weekends or overnight), out of character questions or behaviour; and many other similar examples. This is only a snapshot of the 'intelligence' at hand within most organisations, however, they cover some of the more likely indicators. Look for the anomalies!

Key Takeouts from Leesa Soulodre, Chief Reputation Risk Officer, and Managing Partner, RL Expert Group:

  1. What to Communicate? The facts. In any major breach event, a company’s stakeholders need the facts in order to be able to adequately assess the situation. They want to know:
  • What has happened
  • What and who has been affected? Where?
  • When did it happen?
  • Who is involved?
  • What caused the breach?
  • What has been done to ensure it does not happen again?

2. What to do? Take Accountability. Often breaches are linked to other parties in your value chain who may have some level of contractual responsibility. However, there is significant research and market performance evidence that demonstrates that by laying blame at your 3rd parties or partners, this only serves to harm everyone involved and often can only delay the effective 1) execution of recovery and 2) stakeholder engagement.

A company is better to accept accountability, take ownership of all activities for effective execution and pursue the appropriate recourse/ compensation with third parties and partners at a later date. The faster the company is to apologize, to show empathy to its victims and to be seen to be addressing the issues so that it can never happen again, the more likely it is to preserve its reputational equity and retain its social license to operate.

3. What to assess? Expand enterprise risk management to include reputation risks and include a risk assessment process that includes factoring outrage and velocity. Modify your formula for risk assessment. Today given the interconnected of risks and a 24 x 7 x 365 news cycle: Risk = hazard + outrage + velocity x probability (Soulodre, 2014). In this context "outrage" can be assessed by using a proxy of the volume and velocity of negative expressed stakeholder sentiment (internal + external) measured by both weighted volume + variety.

If you enjoyed these takeouts, read the full 3 part series, that covers the highlights from the Cyber breach simulation delivered at the Thomson Reuters 2nd ASEAN Regulatory Summit in Singapore on the 1st September 2016. Part 1 covers the breach, Part 2 covers the ransom and Part 3 covers managing the fallout. If you enjoyed this series, Leesa will continue the discussion on cyber crime and data privacy at the Pan-Asian Regulatory Summit that is taking place on the 8th & 9th of November, 2016 at the Grand Hyatt in Hong Kong. For the full agenda and details on how to register, please visit the website.

All Posts

Almost done…

We just sent you an email. Please click the link in the email to confirm your subscription!